﻿--[[
Rule name: Shellshock vulnerability
Filtering stage: Request phase
Threat level: Critical
Rule description: Detect attacks on the GNU Bash RCE vulnerability 'Shellshock' (CVE-2014-6271 and CVE-2014-7169)
--]]


local kvFilter = waf.kvFilter
local rgx = waf.rgxMatch
local requestLine = waf.requestLine
local urlDecode = waf.urlDecode

local function rMatch(v)
    local m = rgx(urlDecode(v), "\\(\\s*\\)\\s+{", "jos")
    if m then
        return m, v
    end
    return false
end

local m, d = kvFilter(waf.reqHeaders, rMatch)
if m then
    return m, d, true
end

local m, d = rMatch(requestLine)
if m then
    return m, d, true
end

return false